Businesses have policies in place to cover data management and the management of assets on which data is stored, but these policies rarely keep up with changes in technology and processes.
When it comes to managing assets and data, a significant area that is often overlooked is end-of-life — when the data, or the device storing it, is no longer needed, according to Fredrik Forslund, VP of Enterprise and Cloud Erasure Solutions at Blancco.
Forslund told information security and risk management senior executives at a Business Reporter breakfast briefing that losing control of your data is never an acceptable reason for a data breach. Data and asset managers must ensure that they always know where their data is and how it is secured, and that means making sure that decommissioned devices are properly erased, so that any sensitive data that they contained can no longer be accessed.
A second, and increasingly important, objective is to manage sustainability. It is no longer acceptable for businesses to destroy functioning hardware that could be reused or recycled. However, leaving used devices intact without completely and permanently destroying the data can also lead to a data leak.
The danger of data hoarding
And there is a lot of data at risk. Attendees at the briefing, echoing a situation common to most companies, identified data hoarding as a major problem: storage has now become so cheap that many companies keep everything, sometimes because they aren’t sure whether they will need it later and other times because they don’t know what data they have or whether they should dispose of it.
As one attendee put it, if employees had to print out and store every email they received, they would soon delete unnecessary messages. When the emails are simply stored invisibly as data, it is easier to never delete them.
For companies that have a strategy of growing through acquisition, the problem can be magnified because they are continually adding more data, often on legacy systems, without being sure of what they have or why they are keeping it.
One attendee from a health insurance company said she often reminds businesses that hoarded data could be a major liability in the event of a breach because it could expose the firm to a bigger regulatory fine.
The power of regulation
In fact, regulation was frequently mentioned as a driver for reducing the amount of data held and for getting a detailed overview of what was being kept. An attendee from a major bank said that her company has a three-year retention policy on emails because messages are considered discoverable in certain legal cases.
For others, the recent advent of GDPR, as well as the California Consumer Privacy Act (CCPA) in the US, has forced them to take stock of the data that they hold and consider why they are keeping it. Even then, said one delegate from a credit card company, there is a “long tail” of data that still remains to be sorted.
The threat of a fine from regulators or the negative publicity surrounding a breach is a good incentive to ensure that policies are not increasing the risk of a data breach, but some attendees said they would like to see more action from regulators. In some jurisdictions, the regulators appear hesitant to act. This is unhelpful to companies, who need clear guidance.
Outsourcing device disposal
Most of those present said that they entrusted the task of disposing of data and devices to a third party. Due diligence during the procurement process is meant to ensure these companies are following proper procedures and erasing data using effective methods. A growing trend is to insist that assets are properly erased before leaving the organisation, so that no data leaves the premises.
Increasingly, attendees said, these companies also factor in sustainability and handle the reuse or recycling of devices after they have been properly erased.
However, businesses have to trust that these third parties are following correct procedures. An attendee from an investment company said that he had once audited a third party and found that one in 10 devices hadn’t been erased at all. He emphasised the importance of properly encrypting data on devices so that, if an un-erased device is recycled, the data is still secure. This solution is not perfect, but it offers some protection.
As companies struggle with these issues, the challenges are getting more complex. Businesses now have to consider how to secure data used by artificial intelligence, stored on internet of things devices, and in the cloud.
The cloud, warned Forslund, has been engineered to reduce the risk of data being lost, but the downside of that is that it is hard to be sure that a file has been removed. There is frequently a copy retained somewhere, and it is often unclear whether the business or the cloud provider is liable for that risk. Forslund added that more customers are exploring options to actively erase cloud data from both private and public clouds. In private clouds, customers can access the infrastructure directly, while public cloud services provide logical access to stored data. But with the cloud still being new for many businesses, many still don’t have proper policies in place for data erasure.
Summing up, Forslund said that a goal for the future would be to proactively automate data erasure with an audit trail as part of an organisation’s data protection and controls. That way, sanitising data at various locations and ensuring proper procedures do not consume more and more of the company’s resources. And getting to that point, he explained, will take time and require input from expert partners, as well as sound data protection policies that are properly implemented.